[SONARSWIFT-454] Rule S2068: filter string literal that contains the wordlist item - SonarSource

XML

Word

Printable

Details

Type: False-Positive
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.3
Component/s: Rules
Labels:
- hardening
- security

Description

The implementation of this rule highly rely on symbol names matching wordlist items to raise issues. The downside of this is that it raises many FPs when constants are used to avoid duplicated stings:

let password = "Password" // Compliant
let password = "custom.password" // Compliant
password = "/users/resetUserPassword" // Compliant
foo(password:"password") // Compliant

var obj = MyClass()
obj.fieldNameWithPasswordInIt = "password" // Compliant

In most string constants use cases the wordlist item is present in both the symbol name and the string value.
The new approach is to avoid raising issues when the matched wordlist item is present in both symbol name and literal string value.

Exception made for the following use cases with query parameters that are still True Positives:

let params = "user=admin&password=Password123" // Sensitive
let connection = "pgsql:host=localhost port=5432 dbname=test user=postgres password=postgres" // Sensitive

See false-positives on Peach https://peach.sonarsource.com/issues?tags=sonarswift-454

Attachments

Issue Links

contributes to

MMF-2134 Enhanced hard-coded credentials detection (S2068) for Swift

Closed

implements

RSPEC-2068 Hard-coded credentials are security-sensitive

Active

Activity

People

Assignee:: Arseniy Zaostrovnykh

Reporter:: Pierre-Loup Tristant

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 09/Nov/20

Created:: 14/Sep/20 5:44 PM

Updated:: 06/Nov/20 10:46 AM

Resolved:: 04/Nov/20 3:23 PM